CVE-2020-35650

Description

Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POST Parameter in user-code-redemption.php, the ulgm_user_first POST Parameter in user-registration-form.php, the ulgm_user_last POST Parameter in user-registration-form.php, the ulgm_user_email POST Parameter in user-registration-form.php, the ulgm_code_registration POST Parameter in user-registration-form.php, the ulgm_terms_conditions POST Parameter in user-registration-form.php, the _ulgm_total_seats POST Parameter in frontend-uo_groups_buy_courses.php, the uncanny_group_signup_user_first POST Parameter in group-registration-form.php, the uncanny_group_signup_user_last POST Parameter in group-registration-form.php, the uncanny_group_signup_user_login POST Parameter in group-registration-form.php, the uncanny_group_signup_user_email POST Parameter in group-registration-form.php, the success-invited GET Parameter in frontend-uo_groups.php, the bulk-errors GET Parameter in frontend-uo_groups.php, or the message GET Parameter in frontend-uo_groups.php.

Category

6.1
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.35%
Vendor Advisory uncannyowl.com
Affected: n/a n/a
Published at:
Updated at:

References

Link Tags
https://www.uncannyowl.com/knowledge-base/uncanny-learndash-groups-changelog/ release notes vendor advisory
https://gist.github.com/michiiii/81d801f563138abe7da61e2d95342202 third party advisory

Frequently Asked Questions

What is the severity of CVE-2020-35650?
CVE-2020-35650 has been scored as a medium severity vulnerability.
How to fix CVE-2020-35650?
To fix CVE-2020-35650, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-35650 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2020-35650 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.